One effect of this particular behavior was to make removal of this threat very difficult. Apps that have set themselves up as administrators require user interaction to remove, but because the vulnerability hides the app, it can’t be removed.

In response to this threat, we have created the Hidden Device Admin Detector app. This tool’s purpose is simple: it allows users to keep track of and disable apps that have device administrator privileges but are hidden from the Android Device Administrator list.

Most apps do not need these device administrator privileges. One can think of them as being analogous to holding root access on a Linux/Unix machine, or having administrator access on Windows: they give you complete control over the machine. This level of access is rarely needed, which is why the user has to be prompted to enable these privileges. Apps that do require these privileges include security apps (like Trend Micro Mobile Security) and system administration apps that may be used in BYOD situations.

When run, the app will display the apps with administrator privileges that exploit this vulnerability to hide themselves:

Figure 1. Hidden Device Admin Detector app

From here, users can disable the privileges. Malicious apps with disabled administrator privileges can be removed normally, either by security products or the user.

Android does contain this feature as well, but because of the above vulnerability, the list it provides may not be complete. Google may patch the vulnerability in the future, but the complicated Android update situation means many users will never get the patch. We recommend that all users download this app and periodically check for malicious apps on their Android devices.